BSides San Francisco 2016 Highlights – Day One

This year’s conference in the beautiful city of San Francisco started off with a bang. Bright and early on a Sunday morning, a huge crowd gathered at the DNA Lounge to hear from industry leaders, innovators and aficionados.

Barlow discussed with the audience some of the reasons why he decided to write this piece and his motivations for starting the pro-privacy organization.

“I felt people needed to know what space they were in, in order to have a sense of their rights,” he said, recalling the time when he realized the federal government had discovered the Internet.

“Cyberspace had been invaded by not very bright, extremely well-armed and anti-clued people, and as such, our rights were in danger,” Barlow said.

He noted that behind the EFF was the objective to defend the first and fourth amendment – the first also applying to electronically transmitted material.

“The first amendment, along with the rest, was a set of local ordinances. Cyberspace was not going to be susceptible to those ordinances. The thing that made it so free was also the thing that made it so that rights could not be assured – in order to do so, you have to have the ability to take it away.”

Barlow also touched on the recent Apple vs. FBI debate, stating that the government was using these terrorists to “drive a wedge into the real security of the nation.”

Lastly, Barlow added that a cyber patriot is someone who believes that everybody, everywhere has the right to know.

“Cyberspace patriotism is very simply defending the open network – from the end to the end. You guys are the people who define where that end is,” he said.

The Tales of a Bug Bounty Hunter

Next up was Arne Swinnen, an IT security consultant and co-founder of Cyber Security Challenge Belgium, who walked us through his discovery of several interesting vulnerabilities in Instagram.

A bug bounty hunter for fun and profit, Swinnen explained how he was able to rack up nearly $10,000 from responsibly disclosing nine flaws in the popular app.

From attempting to hijack the instagram.com subdomain on a local network to trying to take over an account via the “change email” feature, Swinnen reported numerous issues – some reaping higher rewards than others.

One clever hack involved Swinnen earning cash by requesting that Instagram call a premium-rate phone number he had registered in order to verify his account. When Facebook replied saying this was not a security vulnerability but rather intentional product behavior, Swinnen responded by calculating that generating calls for 100 accounts could make him $200 per hour, $2,800 per day and a total of $144,000 a month.

Facebook then said it would fine-tune its rate limits and awarded him $2,000 for reporting the bug.
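Added example, not code from the talk or from Instagram: a sliding-window limiter that counts verification calls per destination number as well as per account, which is what bounds the multi-account scenario above (a per-account limit alone still lets 100 accounts produce 100 calls to one number). Account ids and the phone number are constructed placeholders.

```python
import time
from collections import defaultdict, deque


class VerificationCallLimiter:
    """Sliding-window limiter for outbound phone-verification calls.

    Calls are counted both per requesting account and per destination
    number, so spreading requests across many accounts cannot multiply
    calls to one destination. A per-number limit of None disables that
    dimension, which models a per-account-only limiter.
    """

    def __init__(self, per_account=3, per_number=5, window_seconds=3600):
        self.per_account = per_account
        self.per_number = per_number
        self.window = window_seconds
        self._by_account = defaultdict(deque)  # account_id -> call timestamps
        self._by_number = defaultdict(deque)   # phone number -> call timestamps

    def _prune(self, stamps, now):
        # Drop timestamps that have fallen out of the sliding window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()

    def allow(self, account_id, phone_number, now=None):
        """Return True and record the call if both limits permit it."""
        now = time.monotonic() if now is None else now
        acct = self._by_account[account_id]
        num = self._by_number[phone_number]
        self._prune(acct, now)
        self._prune(num, now)
        if len(acct) >= self.per_account:
            return False
        if self.per_number is not None and len(num) >= self.per_number:
            return False
        acct.append(now)
        num.append(now)
        return True


def calls_reaching_number(limiter, account_ids, phone_number, now=0.0):
    """Constructed scenario: every account asks once for a verification
    call to the same number; return how many calls the limiter lets out."""
    return sum(limiter.allow(a, phone_number, now) for a in account_ids)


if __name__ == "__main__":
    accounts = [f"acct{i}" for i in range(100)]  # constructed account ids
    premium = "+1-900-555-0100"                   # constructed placeholder number
    print(calls_reaching_number(VerificationCallLimiter(3, None), accounts, premium))  # 100
    print(calls_reaching_number(VerificationCallLimiter(3, 5), accounts, premium))     # 5
```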

Swinnen ended his talk with a few words of advice for other bug bounty hunters out there:

The duo drilled the idea that information security is really all about people, and it’s important to understand how users think in order to better understand your role as a security practitioner.

One of the points they discussed was when and why humans cheat – people will cheat as long as they can rationalize it without feeling guilty. For online hackers, for example, distance makes cheating easier to justify, as they may feel the information they are stealing is not a real thing.

A potential solution to this, the speakers suggested, would be to make cheating more concrete and make people understand that there are real-life consequences. They also mentioned studies showing that if you remind people about moral codes or the responsibility to act correctly, cheating can be reduced.

Guest to Root: How to Hack Your Own Career Path and Stand Out

The last session I attended was by security blogger and vlogger Javvad Malik. He was enthusiastic to speak and shared with us his experiences in developing a career in the field.

He pointed out a few good habits of highly effective industry professionals, such as making others look good instead of pulling them down; being a creator, not a consumer; and being known for the success of others, as well as embracing one’s own limitations.

“What are you doing to get yourself noticed?” Malik asked. “When you leave a job, will you think about the projects that you worked on? Have you left behind enough legacy that they wouldn’t mind having you back?”

He concluded by encouraging us to find our niche, which he believes is the intersection between our expertise and one of our passions.

He also urged us to step outside our comfort zone, continue to acquire skills and protect our reputation.